SecurityFocus 2008-02-18
A scientific paper discussing theories of information propagation reopened the debate on beneficial worms last week, after one of the authors -- a researcher at Microsoft -- told reporters that the company could benefit from making software updates spread more like computer worms.
The paper, Sampling Strategies for Epidemic-Style Information Dissemination, investigates the best way to propagate information or code on a subdivided network, such as the Internet. One of the authors -- Milan Vojnovic of Microsoft Research in Cambridge, U.K. -- described an aim of the study as developing a way for software patches to be distributed faster and with less load on a single server, according to an article appearing Thursday in the online edition of the U.K.-based NewScientist magazine.
While the concept of a beneficial worm is not new, it remains controversial, and security professionals quickly panned the idea.
"There is nothing like a 'friendly' worm," Robert Sandilands, director of antivirus for security firm Authentium, wrote on the company's Virus Blog on Friday. "If you look at the history of 'attempts' to do this you will see that they always caused more problems than they fixed. Even if that is not enough motivation then just looking at the ethical issues surrounding the writing of malware you would think that responsible people would avoid it."
In an e-mail interview, Microsoft's Vojnovic stressed that the purpose of the research is to investigate means of distributing information to a network, not necessarily to create practical "good" worms.
"My focus is fundamental research on improving the efficiency of data distribution of all types across networks, and isn't limited to certain scenarios or types of data, but investigating underlying networking techniques," Vojnovic stated. "Using understanding from the field of epidemiology is one of the methods that we're investigating in this area, and we hope that our research will help inform future computer science research and networking technology."
The topic of whether self-propagating code can have beneficial uses has cropped up every few years among researchers in the security community. In 2006, researcher David Aitel of security firm Immunity suggested that a sufficiently restricted self-propagating program could be used to find machines in a network that lack a certain patch and fix them. In 2004, Hewlett-Packard researchers suggested using malicious code -- though not necessarily worm-like code -- to infect machines as a way of patching the systems or notifying the users that they needed to patch.
Many of the ideas can trace their roots back to a paper written by antivirus researcher Vesselin Bontchev, who concluded in 1994 that 'good' viruses are possible, but that the safeguards and limitations on the programs would mean that the resulting code would not resemble what most people considered a virus.
Attempts at creating 'good' worms have failed, many times because the writers did not adopt the safeguards outlined in the Bontchev paper. In 1982, prior to Bontchev's work, two Xerox Palo Alto Research Center (PARC) researchers, John Shoch and Jon Hupp, coined the term 'worm' for a program that spread around their 100-computer network updating drivers. A flipped bit in the program caused the resulting worm to spread uncontrollably and clog the network.
In an incident that draws significant parallels, the Welchia worm -- a variant of the MSBlast, or Blaster, worm -- had seemingly been created to fix the vulnerability exploited by the MSBlast worm, but had serious programming errors that caused the program to aggressively scan for new hosts. The resulting worm had a larger impact on many of the networks it infiltrated than the MSBlast worm itself, effectively shutting them down.